Addon API Security Flaw: Bank is Accessible from Housing Storage Chests Using Addon API

Infinity_Knives · May 2020

RequestMoveItem Lua API call is successful between bank and inventory even though I am accessing a storage chest.
I assume this is unintended behavior as it is impossible to perform such an action in the vanilla UI.
Here is the addon that replicates such a bug: https://esoui.com/downloads/info430-CDGBankStacker.html
Even though this addon makes it easy to replicate this bug, I assume other addons could potentially exploit such a bug for even more broken interactions.

Steps to replicate:

Install add-on from link above.
Split a stack of a stackable item and deposit one stack into the bank.
Go to housing and access storage chest.
Observe successful stacking to bank from chat log and item count.

Here's a link to a video proving such an action is possible: https://youtu.be/X3TrDGdtjDE

EDIT:
Here's the ticket number for my in-game bug report submission: 200525-011665

Dolgubon · May 2020

Hey, i think I actually asked @ZOS_ChipHilseberg about this awhile ago. The answer I got was along the lines of 'it's not really exploitable so we'll leave it be'

Note that it's additionally possible to withdraw items from storage as soon as you enter the house. Also in general, add-ons can do a lot of stuff that's not possible in the UI.

Karm1cOne · May 2020

while i agree this is not an expected interaction, how would this be exploitable? it doesnt allow duplication, just quick movement between storage locations, and only in a home you own.